All,
To address ISSUE-25 [1] I'd like to propose the following changes. I hope we can discuss this later in the week.
1) To Section 6, Privacy Considerations, replace the last sentence of the "Super-cookies" section ('This is especially true for keys that were pre-provisioned for particular origins and for which no user interaction was provided') with a more detailed separate section:
"Pre-shared keys
Pre-shared keys may be long-lived and may be securely associated with specific hardware elements. Without sufficient safeguards it may be possible for an origin to identify a user or device without the knowledge or consent of the user. Access to pre-shared keys SHOULD require explicit user authorization on a per origin basis. User Agents supporting pre-shared keys SHOULD ensure that each origin receives a unique origin-specific pre-shared key. This could be accomplished, for example, by transforming an origin-independent secret using a suitable origin-specific one-way function."
2) To Section 10 (Key interface) [or wherever is most appropriate], add new sub-section, as follows:
"10.2 Pre-shared keys
User Agents MAY expose origin-specific pre-shared keys as Key objects visible within the keys attribute of the Crypto interface. Examples of pre-shared keys include keys stored in secure hardware elements.
10.2.1 Pre-shared key pairs and certificates
Where a pre-shared public/private key pair has an associated X.509 certificate, this certificate SHOULD be made available in a property named "x509certificate" within the extra attribute of the Key object. The "x509certificate" property contains the base64 encoding of the â€¦ <specify encoding of X.509 certificate here>.
10.2.2 Pre-shared symmetric keys and identities
Where a pre-shared symmetric key has an associated globally unique identity, this identity SHOULD be made available in a property named "uid" within the extra attribute of the Key object. The "uid" property contains the base64 encoding of the bytes of the globally unique identity."
â€¦Mark
[1] http://www.w3.org/2012/webcrypto/track/issues/25